Secure your small business:
Apps → Data →

Iranian state hackers targeted satellite, defense organizations worldwide

September, 2023
Quick definition  ⓘ
Why it matters: This cyber espionage campaign by Iranian state-linked hackers underscores the ongoing threat to critical industries and the use of increasingly sophisticated techniques in cyberattacks.
Number of data records exposed by cybersecurity breaches in 2021.

Key Points

    A hacking group connected to the Iranian government, known as Peach Sandstorm (formerly Holmium), has launched a cyber espionage campaign targeting satellite, defense, and pharmaceutical organizations worldwide. Microsoft has reported that the campaign, which ran from February to July, involved password spraying techniques to gain unauthorized access to targeted systems, with the ultimate aim of collecting intelligence in support of Iranian state interests. The group utilized a mix of publicly available and custom tools and tried to exploit known vulnerabilities in systems.
© Dezzor |

Quick Read

A hacking group believed to be associated with the Iranian government, identified as Peach Sandstorm (previously known as Holmium), has conducted a cyber espionage campaign targeting organizations in the satellite, defense, and pharmaceutical sectors on a global scale. Microsoft, which has been tracking the group's activities, revealed that the campaign ran from February to July and focused on infiltrating these critical industries to collect intelligence "in support of Iranian state interests."

The attackers employed a variety of tactics and techniques to gain unauthorized access to the targeted systems. One notable approach used was "password spraying," where hackers tried a single password or a list of commonly used passwords to breach accounts. Despite its apparent simplicity, password spraying is an effective technique as it increases the likelihood of success and reduces the risk of triggering automatic account lockouts.

While Microsoft did not disclose the specific countries targeted, recent attacks linked to Iranian state-backed hackers have primarily concentrated on nations like Israel, the United States, Brazil, and the United Arab Emirates.

Peach Sandstorm has a history of utilizing password spraying in its previous cyber operations, which also encompassed industries such as aerospace, defense, chemicals, and mining. Once the group successfully compromises a target, their attacks become more intricate. Microsoft observed the hackers using tools like AzureHound and Roadtools to collect information from a victim's system, access data in a target's cloud environment, and transfer specific data of interest to a single database.

Additionally, the attackers installed the Azure Arc client on compromised devices, linking them to their Azure subscription. This granted the hackers control over the targeted devices through their cloud infrastructure. The group also attempted to exploit known vulnerabilities, including one in Zoho ManageEngine, used for IT service management, and in the team collaboration tool Confluence.

To maintain access to their targets, Peach Sandstorm used AnyDesk, a commercial remote monitoring and management tool. Notably, U.S. cybersecurity authorities have warned against the misuse of such tools, as they can provide an "easy way to circumvent security systems and establish longstanding access to victim networks."

Microsoft expressed concern over the capabilities exhibited in this campaign, emphasizing that even initial access by foreign hackers can adversely impact the victims. As cyber threats continue to evolve and become more sophisticated, organizations must prioritize robust cybersecurity measures to protect their sensitive data and networks from such incursions.

In a related development, researchers recently uncovered a new backdoor tool used by suspected Iranian hackers against targets in Brazil, Israel, and the United Arab Emirates. Known as Ballistic Bobcat or Charming Kitten, this group deployed the tool to target at least 34 victims, primarily in Israel, between March 2021 and June 2022, as reported by cybersecurity company ESET. Furthermore, a recent Microsoft report highlighted that Iranian state-backed hackers are increasingly employing influence operations to amplify the impact of conventional cyberattacks and advance Tehran's political agenda in countries like Israel and the United States.

Further Reading

—Jess Hofmann

Need Data Breach solutions?
We can help!

Plurilock offers a full line of industry-leading cybersecurity, technology, and services solutions for business and government.

Talk to us today.


Thanks for reaching out! A Plurilock representative will contact you shortly.

What Plurilock Offers
SSO, CASB, and DLP with Real-Time Passive Authentication

More to Know

Quick Definition

A Data Breach is a situation in which information security has failed, enabling sensitive data of any kind to be accessed by unauthorized individuals despite whatever protections were in place. Data breaches have become a particular concern in recent years because such stolen data is often subsequently distributed widely, in particular on the dark web, where it is often aggregated and sold for illicit activity, identity theft, or further cyberattacks of various kinds.

Subscribe to the newsletter for Plurilock and cybersecurity news, articles, and updates.

You're on the list! Keep an eye out for news from Plurilock.